Using Login IP Ranges for Stronger User Security

Did you know you can control access to your Salesforce organization based on user IP addresses? You can! If you’re an administrator who wants to understand login IPs and trusted IPs, this post is for you.

Want to improve user security for your organization beyond usernames and passwords? Use login IP ranges and trusted IP ranges to control the IP address ranges from which your users can log in to Salesforce.

Login IP ranges control login access for a user profile. Users whose profile has a login IP range can log in only from IP addresses within that range; from any other address, they’re denied access to Salesforce. Login IP ranges are typically used to restrict login IPs at a granular level.

Trusted IP ranges control login access for an organization. When users log in from trusted IPs, they aren’t challenged to verify their identity (such as by entering a code sent to their mobile phone). Unknown users logging in from non-trusted IPs are challenged to verify their identity and, if successful, are allowed to access Salesforce. Trusted IP ranges are typically used to “whitelist” IPs at the organization level.

Example: Assign Login IP Ranges to User Profiles

Suppose you want your internal users to log in to your Salesforce organization only from your internal corporate network. If they try to log in from an IP address outside your corporate IP range of 54.14.239.10 to 54.14.239.255, you want to deny them access.

So you assign a login IP range of 54.14.239.10 to 54.14.239.255 to all internal user profiles in your Enterprise edition organization.

After you set login IP ranges, if an internal user tries to log in from 55.15.150.210, the user receives an error message indicating that they can’t log in.

Login IP ranges are assigned to user profiles in Enterprise, Performance, Unlimited, Developer, and Database.com editions, which gives you the flexibility of restricting access on a more granular, per-profile basis. For example, you can assign different IP ranges to external user profiles and internal user profiles.

Example: Assign Trusted IP Ranges to Your Organization

Similar to the previous example, suppose you want your users to log in to your Salesforce organization from your internal corporate network. If an unknown user (such as a user logging in from a new device) tries to log in from an IP address outside your corporate IP range, you want them to verify their identity first and then get access.

So you assign a trusted IP range of 54.14.239.10 to 54.14.239.255 to your organization using Network Access.

After you assign trusted IPs, if anyone tries to log in from 55.15.150.210, they are prompted to verify their identity via a code or authentication app. After they verify their identity successfully, they can access Salesforce.

Chart: How the Features Work Together

Remember, whenever you assign login IPs or trusted IPs, test the assignments thoroughly to understand the impact on your users and organization.
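
One way to preview that impact before assigning ranges, as an added example that is not from the original post or from Salesforce: the Python sketch below replays a list of past logins against the post's range and predicts whether each would be allowed, challenged, or denied. The login rows, user names, and profile names are constructed, and the evaluation order (profile login IP range first, trusted IP ranges only for profiles without one) is an assumption of this sketch.

```python
import ipaddress
from collections import Counter

CORP_RANGE = ("54.14.239.10", "54.14.239.255")  # range used in the post

def in_range(ip, start, end):
    """True if ip lies in the inclusive start-end range (not a CIDR block)."""
    ip, start, end = (ipaddress.ip_address(x) for x in (ip, start, end))
    if not (ip.version == start.version == end.version):
        return False  # an IPv6 source never matches an IPv4 range
    return start <= ip <= end

def predict(ip, known_device, profile_range=None, trusted_ranges=()):
    """Predict one login's outcome: 'allow', 'challenge' or 'deny'."""
    # Assumption: a profile login IP range is checked first and is decisive;
    # trusted IP ranges only matter for profiles that have no such range.
    if profile_range is not None:
        return "allow" if in_range(ip, *profile_range) else "deny"
    if known_device or any(in_range(ip, s, e) for s, e in trusted_ranges):
        return "allow"
    return "challenge"  # unknown user from a non-trusted IP

def replay(logins, profile_ranges, trusted_ranges):
    """Tally predicted outcomes per profile for a list of past logins."""
    tally = Counter()
    for _user, profile, ip, known_device in logins:
        outcome = predict(ip, known_device,
                          profile_ranges.get(profile), trusted_ranges)
        tally[(profile, outcome)] += 1
    return tally

# Constructed sample rows: (user, profile, source IP, known device?)
SAMPLE_LOGINS = [
    ("alice", "Internal", "54.14.239.10", True),    # first address in range
    ("bob", "Internal", "55.15.150.210", True),     # outside the range
    ("carol", "Internal", "54.14.239.9", False),    # one below the range
    ("dave", "Internal", "2001:db8::1", True),      # IPv6 source
    ("erin", "External", "55.15.150.210", False),   # new device, untrusted IP
    ("frank", "External", "54.14.239.200", False),  # new device, trusted IP
    ("grace", "External", "55.15.150.210", True),   # known device
]

if __name__ == "__main__":
    result = replay(SAMPLE_LOGINS, {"Internal": CORP_RANGE}, [CORP_RANGE])
    for (profile, outcome), count in sorted(result.items()):
        print(f"{profile:9} {outcome:10} {count}")
```

Users who fall into the deny bucket are the ones to contact before the range goes live; the boundary rows show that the range is inclusive at both ends and does not cover 54.14.239.0 through 54.14.239.9.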